For most server tasks, the original Raspberry Pi was completely inappropriate. The problem was its low CPU and I/O speed, as well as its small memory. These three limitations reduced the possibilities. This has changed with Raspberry Pi 3 B. Both CPU speed and memory are optimal for typical server tasks. At the same time, the power consumption is so low that it plays no role in continuous operation.
However, there is a limitation. The network interface is not connected optimally: it is attached to the internal USB bus. If you connect additional USB devices, they further limit the speed of the network interface.
If you want to operate Raspberry Pi as a server, gateway or router permanently (24/7), then you have to pay attention to a few things. Some things are especially true for Raspberry Pi. Other things generally apply to continuous operation, even to other systems that act as servers, gateways or routers.
The following notes and measures refer to optimizing Raspberry Pi and improving security. Optimization is mainly about stability and rudimentary performance enhancements. Security is about making continuous operation safer. This is necessary because, depending on the Linux distribution used, Raspberry Pi is not configured securely enough.
All optimization and security measures are optional. None of the measures is mandatory. You should only be aware of the consequences that can result from omitting one or another of them.
Anyone who permanently operates a Raspberry Pi also assumes responsibility for damages and consequences, even if Raspberry Pi runs unattended.
Step by step: Setting up Raspberry Pi as a server
If you want to set up Raspberry Pi as a server, you will use it in headless mode and, depending on individual preferences, carry out some configuration steps.
Overview: Raspberry Pi as a server
- Equipment for continuous operation
- Optimization for continuous operation
- Server security in continuous operation
Overview: Equipment for continuous operation
In continuous operation, the main concern is that Raspberry Pi runs stably. Nothing is more annoying than a Raspberry Pi that stops operating because of errors or that has dropouts. In such a case troubleshooting can be tedious. It is not uncommon that you cannot find out anything about the cause of the error, cannot reproduce it, and therefore cannot work out a solution.
To avoid this, here are a few recommendations regarding the features of Raspberry Pi.
Basically you should use a good power supply. There are always reports in various forums that a Raspberry Pi is not working properly or is unstable. In most cases, the power adapter is to blame. Therefore, do not skimp on the power supply if Raspberry Pi is to run as a server in continuous operation.
SD memory cards are extremely cheap. As everyone can imagine, the quality varies widely. One must know that SD memory cards are actually intended for use in digital cameras and other mobile devices. There, complications are virtually nonexistent, because read and write accesses occur rarely and to a small extent.
The situation is quite different when the card serves as data storage for Raspberry Pi. The operating system running on it repeatedly writes data to the SD card, albeit in small amounts, which of course stresses the memory cells more than occasionally storing a photo file in a digital camera. More write accesses also lead to faster wear and faster failure. In continuous operation, this will happen much faster. For this reason, one should not take the cheapest and smallest SD card, but choose a better model from a brand manufacturer with generously dimensioned storage capacity.
Overview: Optimization for continuous operation (headless configuration)
Raspberry Pi as a server in continuous operation usually runs without screen, keyboard and mouse. This is referred to as “headless” or headless operation, which is why a special headless configuration is worthwhile, mainly in terms of stability and performance.
- Outsource or back up data
- Optimize storage distribution
- Disable unnecessary services
- Disable swapping
In addition, you can move log files and other temporary files to RAM to minimize write access, and do without recording access times per file (noatime).
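The write-reduction measures named above (noatime, log and temporary files in RAM) can be checked from the mount table. The following is an added example, not part of the original article; the fstab content is constructed, and the choice of /var/log and /tmp as the directories to hold in RAM is an assumption of the example.

```shell
#!/bin/sh
# Added example: audit fstab text for noatime and RAM-backed log/temp directories.
# SAMPLE_FSTAB is constructed; on a real system pass "$(cat /etc/fstab)" instead.
SAMPLE_FSTAB='proc            /proc     proc   defaults                          0 0
/dev/mmcblk0p1  /boot     vfat   defaults                          0 2
/dev/mmcblk0p2  /         ext4   defaults,noatime                  0 1
tmpfs           /var/log  tmpfs  defaults,noatime,nosuid,size=32m  0 0
# tmpfs         /tmp      tmpfs  defaults,nosuid,size=64m          0 0'

# mount_has_option FSTAB MOUNTPOINT OPTION: exit status 0 if the option is set.
mount_has_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v want="$3" '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and incomplete lines
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# mount_fstype FSTAB MOUNTPOINT: prints the filesystem type, or "none".
mount_fstype() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp { t = $3 }
        END { print (t == "" ? "none" : t) }'
}

# audit_fstab FSTAB: prints one OK/WARN finding per line.
audit_fstab() {
    if mount_has_option "$1" / noatime; then
        echo "OK   / is mounted with noatime"
    else
        echo "WARN / records access times (noatime missing)"
    fi
    for mp in /var/log /tmp; do
        if [ "$(mount_fstype "$1" "$mp")" = tmpfs ]; then
            echo "OK   $mp is held in RAM (tmpfs)"
        else
            echo "WARN $mp is written to the SD card"
        fi
    done
}

audit_fstab "$SAMPLE_FSTAB"
```

Logs held in RAM are lost on reboot or power failure, so forward them to another host if they are needed to investigate an incident.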
Optimization: Outsource or save data
Because SD memory cards are far from reliable, they are not suitable in a Raspberry Pi for permanently storing data that is generated on a regular basis. There are also cases where a poor power supply to Raspberry Pi can cause file system conflicts and data loss. In principle, with permanent operation of a Raspberry Pi you must always reckon with the loss of data. Therefore, data should be stored on a more reliable USB stick, over the network on a NAS, or in the cloud.
A middle ground is to save the data on the SD card and additionally back it up to a USB stick automatically once a day. This does not extend the life of the SD card, but at least you have a backup if the SD card ever causes problems.
Optimization: storage distribution
The SDRAM on Raspberry Pi is a so-called “shared memory”. That is, a large portion is used for CPU memory and only a small portion is used for the graphics memory of the GPU. By default, the GPU memory is 64 MB in size. Because you do not need the graphical window manager in server or headless mode, you can optimize the memory distribution in favor of the main memory.
Optimization: Switch off unneeded services
Performance and memory optimization also involves identifying unneeded services that are active and, if necessary, switching them off. This can save processor power and memory.
Optimization: disable swapping
If you have optimized the memory distribution of Raspberry Pi, you can consider whether to turn off swapping.
On a server, swapping can be useful, but also useless. Especially with Raspberry Pi, swapping is actually counterproductive. Swapping increases the number of write accesses to the storage medium on which the swap memory is located. The operating system and the swap memory are located on Raspberry Pi on an SD memory card that can handle only a limited number of write accesses. This shortens the life of the SD card. SD cards are therefore not suitable for swapping at all. Especially not if Raspberry Pi should run permanently and for as long as possible without disruption. Another reason to avoid swapping is the limited speed of SD memory cards. This makes the swapping on Raspberry Pi slow. You may therefore be able to do without swapping.
Overview: Server Security
A standard installation of a Raspberry Pi with Raspbian on a local network is reasonably safe from the outside. However, one must always assume that an attacker is already in your own local network or can gain access to it, especially if you operate a WLAN. The problem is not the uninvited guests who want to hack, but friends who bring their insecure clients. Who knows what Trojans and worms are on them, punching holes in the firewall.
How severe the security problems presented here are is to some extent a matter of opinion. Therefore you do not necessarily have to follow the solutions here. However, there are situations where you cannot ignore the described security problems, especially if you operate Raspberry Pi permanently and it is also accessible from the Internet. But even if Raspberry Pi can only be reached in the local network, one should strive for higher security, because one must assume that an attacker can gain access to the local network, or in the worst case has already obtained it.
- Root Access
- Standard users and passwords
- Unnecessary software
- SSH access
Note: Not all security issues presented here are a real problem, and not all measures make sense in every case. The solutions and proposals are not set in stone either. You have to keep a sense of proportion. Some measures can also cause you to lock yourself out or to destroy an already functioning and configured system, which is not a solution either.
It is not necessary to turn a Raspberry Pi into a high-security area. It is usually enough to set up a few defenses or security measures to increase the intrusion effort and make the server unattractive. As a rule, intruders then spend their resources on victims that are easier to reach.
Security issue: Root access
The user “root” is a standard user present on every Linux system. This username is not only well known, it also has unrestricted rights. An attacker then only needs the password, which can be found given sufficient time, even in an automated fashion.
Opinions are divided on root access to a system. One view holds that a server must be regarded as compromised if an intruder, under any identity, can gain root access.
On Raspbian, the standard user “pi” can obtain root rights via “sudo” at any time, and without entering the root password. It may be useful to put a stop to this arrangement. The user, but also the attacker, then needs two passwords to obtain root rights: first the user's own password and then the password of “root”.
Security Issue: Default Users and Default Passwords
The default users and their default passwords in Linux distributions are convenient from the perspective of an attacker. They facilitate access. Since standard usernames and passwords are documented, they pose a significant security risk.
Raspbian does not set a password for the user “root”, so it is not possible to log in as “root” unless a password has been set subsequently. For user “pi”, “raspberry” is set as the default password. Generally it is recommended to assign a new password for the user “pi” during the initial configuration. If you do not do that, you risk allowing an attacker to gain access with the user “pi” and the default password “raspberry”.
You do not have to see that as a serious problem. It depends on how Raspberry Pi is used. Suffice it to say that there are tutorials that turn Raspberry Pi into a VPN gateway or wireless access point. One should be aware that Raspberry Pi may be reachable externally via SSH. SSH tears a hole in the network's security when a default user has a default password. In particular, the user “pi” is at risk because it is always present.
Standard usernames with standard passwords are typical security vulnerabilities. Only passwords that you cannot change are worse.
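The account conditions described in the last two sections (root without a usable password, the default user “pi”, and sudo without a password prompt) can be read from the shadow and sudoers files. The following is an added example, not part of the original article; the shadow and sudoers content is constructed and contains no real hashes, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: account checks on constructed input (no real hashes).
# On a Pi, read /etc/shadow and the files under /etc/sudoers.d as root instead.
SAMPLE_SHADOW='root:*:17000:0:99999:7:::
pi:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::'
SAMPLE_SUDOERS='# constructed sudoers drop-in
Defaults env_reset
pi ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL'

# password_state SHADOW USER: prints locked, empty, set or missing.
password_state() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u {
            if ($2 == "") s = "empty"              # login without any password
            else if ($2 ~ /^[!*]/) s = "locked"    # no password can match
            else s = "set"
        }
        END { print (s == "" ? "missing" : s) }'
}

# nopasswd_users SUDOERS: prints users/groups that sudo never asks for a password.
nopasswd_users() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                        # comment lines
        /NOPASSWD[ \t]*:/ { print $1 }'
}

# audit_accounts SHADOW SUDOERS: prints one OK/WARN finding per line.
audit_accounts() {
    root_state=$(password_state "$1" root)
    if [ "$root_state" = locked ]; then
        echo "OK   root has no usable password"
    else
        echo "WARN root password is $root_state"
    fi
    if [ "$(password_state "$1" pi)" != missing ]; then
        echo "WARN default user pi exists; its password must not be the default"
    fi
    for who in $(nopasswd_users "$2"); do
        echo "WARN $who gets root via sudo without a password prompt"
    done
}

audit_accounts "$SAMPLE_SHADOW" "$SAMPLE_SUDOERS"
```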
Security Issue: Unnecessary Software
Secure operation of a Raspberry Pi as a server requires that only the applications needed for its operation are installed on it. A standard distribution, such as Raspbian, is not a good basis for running a server, because so much is pre-installed that you do not know in detail and cannot control.
Admittedly, the unused applications do not represent a security problem. However, it cannot be ruled out that an attacker will find a way to identify and exploit a vulnerability via an unused application. That is why a standard distribution is actually ruled out as a server operating system.
We recommend a special server distribution or a minimal image of a Linux distribution.
As a rule, a server should only contain exactly the software it needs to perform its task; each additional package represents a potential security or performance risk.
All components that are not needed should be turned off, or better uninstalled, to offer intruders as little attack surface as possible.
Security issue: Outdated software
If an attacker does not enter the system through the usual authentication channels, then he will probe the implementation for vulnerabilities, for example by finding out about current security vulnerabilities in the installed version. New versions are generally released with bug fixes for the vulnerabilities described. Attackers use this information to search the Internet for servers and software that have these holes.
Therefore, it is advisable to regularly install new updates. It may be true that the new version also contains security holes, but these are not yet known. Whenever they become known, a new update usually comes out in a timely manner, solving the problem. If you keep your software up to date, your software is fairly secure.
If you do not keep your system up-to-date, you have to be aware that you are running your system with security holes.
Of course, with every update, there is always the risk of malfunctioning. Especially with important systems you want to avoid this. The question is, how much effort does it take if an intruder has caused damage?
A middle ground may be that you do not make automatic updates, but set regular dates for manual triggering, taking into account that you have to spend time checking and fixing problems.
Alternatively, you can at least install security updates automatically.
Then you should take a critical look at the package sources.
Security issue: SSH access
By default, an SSH server is active on a Linux distribution for Raspberry Pi, such as Raspbian. This allows you to log in to Raspberry Pi via SSH using an SSH client from another system over the network, without having to sit at a keyboard and screen attached directly to Raspberry Pi.
This remote access to Raspberry Pi is anything but safe by default, even if the name SSH (Secure Shell) suggests otherwise. Security also depends on a secure configuration. In the standard installation the configuration is set up for convenience, not for a Raspberry Pi that has contact with the outside world as a server, gateway or router.
If a Raspberry Pi is accessible as a server, gateway or router from the Internet, then you should take care of additional security measures for the SSH access. That’s important and urgent. A Raspberry Pi running as a server, gateway, or router with a standard Raspbian is not secure.
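One way to review the SSH configuration against the account issues discussed earlier (root login, password login, the default user “pi”), as an added example that is not part of the original article. The configuration text is constructed, and which settings are treated as findings is an assumption of the example, not a list given by the article.

```shell
#!/bin/sh
# Added example: effective global sshd settings from constructed config text.
SAMPLE_SSHD='# constructed sshd_config, not taken from a real system
Port 22
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
AllowUsers pi admin
Match Address 192.168.1.0/24
    PasswordAuthentication yes'

# sshd_value CONFIG KEYWORD DEFAULT: prints the value sshd would use globally.
# Keywords are case-insensitive and the FIRST occurrence wins; later ones are ignored.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        tolower($1) == "match" { exit }         # global section ends at first Match
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print def }'
}

# audit_sshd CONFIG: prints one WARN line per finding (nothing if all checks pass).
audit_sshd() {
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)   # OpenSSH default
    pass=$(sshd_value "$1" PasswordAuthentication yes)          # OpenSSH default
    users=$(sshd_value "$1" AllowUsers "")
    [ "$root" = no ] || echo "WARN PermitRootLogin is $root"
    [ "$pass" = no ] || echo "WARN password logins are accepted (PasswordAuthentication $pass)"
    case " $users " in
        "  ")      echo "WARN no AllowUsers line: every account may try to log in" ;;
        *" pi "*)  echo "WARN default user pi is allowed to log in" ;;
    esac
    return 0
}

audit_sshd "$SAMPLE_SSHD"
```

In the sample, the lower-case `passwordauthentication yes` line takes effect and the later `no` is ignored. On a live system, `sshd -T` run as root prints the effective configuration, including included files.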
Safety note at the end
A server, gateway or router is only as secure as the PC from which it is administered. A Trojan on this PC can be a gateway into the well-protected server.